Unless otherwise noted, this method must be called before any any other web service function, as the Authorization header value is required to call most methods.
A successful transaction will receive a 200 status code.
POST /Token
{
"grant_type": "client_credentials",
"client_id": "{email/username}",
"client_secret": "{password}"
}
POST /Token
{
"grant_type": "refresh_token",
"refresh_token": "{refresh token}",
}
POST /Token
{
"grant_type": "authorization_code",
"code": "{authorization code}",
"resource_type": "{resource type}"
}
InvalidResourceType - Invalid resource type.
InvalidRequest - The request is invalid.
IdTokenInvalid - Invalid id token.
HTTP Status Code 401 Error Codes (error property):
InvalidCredentials - Invalid credentials.
AccountUnverified - User account has not been verified.
IpRestriction - User's location is restricted by IP address. The IP address of the user's current location is invalid.
PasswordExpired - Password expired. The user must change their password.
AccountDisabled - Account is disabled.
AccountLockedOut - Too many invalid login attempts. The account has been disabled.
RefreshTokenInvalid - Invalid refresh token or expired.
IdTokenInvalid - Invalid id token.
MFARequired - MFA Required. To MFA via email, call the /token/challenge (POST) endpoint to continue.
To MFA via Authenticator app, call this endpoint again (MFA Example above).